I've updated Ticket #7291 "implement http digest authentication" with
fixes for generating a stateless nonce. I'm looking for some help to
get this committed.
The nonce is based on time-stamp H(time-stamp ":" session.session_id).
An associated nonce_valid? method verifies that the timestamp is
recent.